Michal Soltys wrote:
HenkJan Wolthuis wrote:
I'm not using .rc2 yet, I'm using dovecot-20060612 with clientcerts / crls,
I'm not sure, but maybe this is the problem: After beta8 CRLchecking was added, ssl_ca_file should be a file with the ca_cert followed by a crl. (certificate revocation list)
If this is the problem, you can:
- generate a crl, add the crl to ca_cert.pem (crl in PEM format) or
That was it. Everything works beautifully now, thanks.
I'm trying to get my setup to use certificates for identifying users and also making sure that everyone can run TLS. I have a CA that I have created an intermediate root from that in turn creates the client certificates and something is not working correct on rc2.
My settings are these:
ssl_cert_file = /etc/ssl/postfix/server.boxed.no.pem
ssl_key_file = /etc/ssl/postfix/server.boxed.no.pem
ssl_ca_file = /etc/ssl/postfix/xxx.boxed.no.crt
ssl_verify_client_cert = yes
and under the auth section:
ssl_require_client_cert = yes
ssl_username_from_cert = yes
When running with "verbose_ssl = no" I get this in my logs when a client tries to connect:
Jul 11 06:41:17 server dovecot: Dovecot v1.0.rc2 starting up
Jul 11 06:41:23 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx@boxed.no
Jul 11 06:41:23 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx@boxed.no
Jul 11 06:41:24 server dovecot: imap-login: Aborted login: rip=4.3.2.1, lip=1.2.3.4, TLS
But when I turn on verbose_ssl I get this:
Jul 11 06:41:45 server dovecot: Dovecot v1.0.rc2 starting up
Jul 11 06:42:03 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Invalid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=Boxed Solutions CA/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Bergen/O=Boxed Solutions/CN=xxx.boxed.no/emailAddress=xxx@boxed.no
Jul 11 06:42:03 server dovecot: imap-login: Valid certificate: /C=NO/ST=N/A/L=Oslo/O=Client/OU=Internal/CN=client.boxed.no/emailAddress=test@boxed.no
Jul 11 06:42:04 server dovecot: imap-login: Aborted login: rip=4.3.2.1, lip=1.2.3.4, TLS
I've gone over and made sure that the CA cert is the most recent and that it includes a PEM formatted CRL at the bottom. The CA cert used is composed in the order:
- Root CA
- Intermediate CA
- CRL
Any takes as to what is not playing here?
-A
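Both messages above turn on the same requirement: since the CRL checking added after beta8, the file named by ssl_ca_file must hold the CA certificate(s) followed by a PEM-format CRL. The script below is an added example, not code from the thread or from the Dovecot project. It assembles such a bundle in the stated order (root CA, intermediate CA, CRL) and checks the result the way an admin would before restarting Dovecot: every PEM block is balanced, at least one CERTIFICATE and one X509 CRL block are present, and no certificate appears after the CRL. The file names and the PEM bodies it writes are constructed placeholders for the demo, not real key material; to check a real bundle, call check_ca_bundle on the path you put in ssl_ca_file.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check a Dovecot
# ssl_ca_file bundle laid out as "CA certificate(s), then PEM CRL".

# List the PEM block types in a file, in order, space-separated
# (for example: "CERTIFICATE CERTIFICATE X509 CRL").
pem_block_types() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Concatenate the parts in the order the thread describes:
#   $1 = output bundle, $2.. = root CA, intermediate CA(s), CRL (last).
make_ca_bundle() {
  out="$1"; shift
  cat "$@" > "$out"
}

# Return 0 when the bundle is usable as ssl_ca_file, 1 with a reason on stderr.
check_ca_bundle() {
  f="$1"
  begins=$(grep -c '^-----BEGIN ' "$f" || true)
  ends=$(grep -c '^-----END ' "$f" || true)
  [ "$begins" -eq "$ends" ] || { echo "$f: unbalanced BEGIN/END markers" >&2; return 1; }
  certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  crls=$(grep -c '^-----BEGIN X509 CRL-----$' "$f" || true)
  [ "$certs" -ge 1 ] || { echo "$f: no CA certificate block found" >&2; return 1; }
  [ "$crls" -ge 1 ] || { echo "$f: no PEM CRL block found (ssl_ca_file needs one)" >&2; return 1; }
  # Every CERTIFICATE block must come before the first X509 CRL block.
  order_ok=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f" |
    awk 'BEGIN { seen = 0; ok = 1 }
         /^X509 CRL$/ { seen = 1 }
         /^CERTIFICATE$/ { if (seen) ok = 0 }
         END { print ok }')
  [ "$order_ok" -eq 1 ] || { echo "$f: a certificate follows the CRL; CRL must be last" >&2; return 1; }
  return 0
}

# Append a constructed placeholder PEM block of type $1 to file $2.
# The body is a dummy string, not a real certificate or CRL.
write_placeholder_pem() {
  printf '%s\n%s\n%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIK" "-----END $1-----" >> "$2"
}

# Build a good bundle and a bad one (CRL before the intermediate) in a temp dir;
# prints the directory so the caller can inspect or remove it.
demo_bundles() {
  d=$(mktemp -d)
  write_placeholder_pem CERTIFICATE "$d/root-ca.pem"
  write_placeholder_pem CERTIFICATE "$d/intermediate-ca.pem"
  write_placeholder_pem "X509 CRL"   "$d/ca.crl.pem"
  make_ca_bundle "$d/good-ca.pem" "$d/root-ca.pem" "$d/intermediate-ca.pem" "$d/ca.crl.pem"
  make_ca_bundle "$d/bad-ca.pem"  "$d/root-ca.pem" "$d/ca.crl.pem" "$d/intermediate-ca.pem"
  echo "$d"
}

if [ "${DEMO:-0}" = 1 ]; then
  d=$(demo_bundles)
  check_ca_bundle "$d/good-ca.pem" && echo "good-ca.pem: OK ($(pem_block_types "$d/good-ca.pem"))"
  check_ca_bundle "$d/bad-ca.pem"  || echo "bad-ca.pem: rejected as expected"
  rm -rf "$d"
fi
```

Run it with DEMO=1 to see the good bundle accepted and the misordered one rejected. The check is purely structural: it tells you the file has the shape Dovecot expects, not that the CRL was signed by one of the CAs in it or is still within its nextUpdate; for that, verify the real files with openssl before installing them.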